The update of IBM Endpoint Manager for Mobile Devices last month included the new Authenticated Enrollment feature. In the article below, I’ll detail how you can easily enable this and configure user enrollment questions too.
Before you do, it’s a good idea to recap the overall MDM architecture once more. You’ll already have your Endpoint Manager server running on your internal network and the Management Extender for iOS on a server in your DMZ (servers shown below in grey). You’ll then want to have a very small server to run the Trusted Service Provider/Self-Service Portal components as highlighted in green below (I’ll cover the Self-Service Portal in a future post). Whilst I don’t see any reason why these new services couldn’t also run on your TEM server, you’d need to ensure you don’t have a possible clash with Web Reports running on port 80. For larger environments a dedicated server would be preferable. Ensure you’ve added any DMZ firewall rules that are required.
Enabling Authenticated Enrollment
By default, devices can be managed by MDM without any authentication. You can now restrict access to your MDM deployment to only authenticated users who log in with a username and password from an LDAP/Active Directory service.
Start with the Setup and Configuration Wizard, and open Install Additional MDM Features. The Enrollment Server comes installed automatically on the Management Extender for iOS, so Steps 1) and 2) will already be complete from the update you completed here.
Next, click on Deploy Trusted Service Provider, which will present you with the following window:
Select the server which will host the Trusted Service Provider service (in my case IEMMDMSP1).
The IEM Server will then automatically download the required files from the Internet as shown below.
In about five minutes in my test environment, the installation was complete and the server was in a Pending Restart status. The install seemed to have completed just fine, so just to be sure all was ok, I restarted my server. Maybe I should have been more patient and waited, but all was ok. After the server restarted the status updated to Completed.
Next I configured the enrollment as shown below. Note for my Active Directory server (dc1.home.int) I deselected SSL and entered the Login Attribute of userPrincipalName. Ensure you test your settings. When you click on Configure Authenticated Enrollment, it took a minute or two for this to be all set up on the Management Extender for iOS server.
So, once all this has been set up, when you enroll your iOS device you’ll now be asked to authenticate as shown below (where I’m entering my Active Directory user account and password).
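Before typing the directory settings from the configuration step into the wizard, the bind and user lookup can be checked from the server that will talk to the domain controller. This is an added PowerShell example, not code from the original post or from IBM; it assumes the enrollment server performs a simple bind and then resolves the account by the login attribute, and the search base DC=home,DC=int is a placeholder derived from the post's dc1.home.int.

```powershell
# Added example: verify the LDAP/AD settings used for Authenticated Enrollment
# (server, SSL on/off, login attribute). Search base and test account are
# placeholders; dc1.home.int is the post's example domain controller.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-EnrollmentLdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,           # e.g. dc1.home.int
        [Parameter(Mandatory)] [pscredential] $Credential, # entered as the device user would type it
        [Parameter(Mandatory)] [string] $SearchBase,       # e.g. DC=home,DC=int (assumption)
        [string] $LoginAttribute = 'userPrincipalName',    # the Login Attribute from the wizard
        [switch] $UseSsl
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion     = 3
    $conn.SessionOptions.SecureSocketLayer   = [bool]$UseSsl
    # A username/password enrollment prompt ends up as a simple bind; with SSL
    # deselected that password crosses the DMZ-to-DC link in clear text.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $conn.Bind($Credential.GetNetworkCredential())
    } catch {
        return [pscustomobject]@{ Bound = $false; UserFound = $false; Ssl = [bool]$UseSsl; Error = $_.Exception.Message }
    }
    # Resolve the account by the chosen login attribute, i.e. confirm that the
    # value the user types (user@home.int for userPrincipalName) matches one entry.
    $filter = "($LoginAttribute=$($Credential.UserName))"
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, $filter, 'Subtree', @('distinguishedName'))
    $resp   = $conn.SendRequest($req)
    $conn.Dispose()
    $count  = $resp.Entries.Count
    [pscustomobject]@{
        Bound     = $true
        UserFound = ($count -eq 1)
        Ssl       = [bool]$UseSsl
        Error     = if ($count -ne 1) { "filter $filter matched $count entries" } else { $null }
    }
}

# Usage (placeholders): enter the test account exactly as an enrolling user would,
# e.g. user@home.int when the login attribute is userPrincipalName.
# $cred = Get-Credential
# Test-EnrollmentLdapBind -Server dc1.home.int -Credential $cred -SearchBase 'DC=home,DC=int' -UseSsl
```

Run it once with `-UseSsl` and once without: if only the plain-port run binds, the DC has no usable LDAPS certificate, which is worth fixing before relying on the SSL-deselected configuration shown above.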
Custom Enrollment Questions
Finally, you can also present the user with a range of Custom Enrollment Questions, such as where they work, department ID, or accepting an End User License Agreement (EULA). Questions can be presented with links, checkboxes, radio buttons etc. An example list of questions is shown below:
This is then presented to the user as shown below:
This information is then visible to the administrator in the console as follows:
So all done! You now have authenticated enrollment up and running. If you have any queries or feedback, please post them on the developerWorks forum here.